The Spam Auditor Blog: The information nexus for the anti-spam community.

Fake Law Firm Invoices

Today’s article is about another round of fake law firm invoices. (Don’t open them: they carry ransomware and virus payloads.) Now, typically they ‘should’ all be going to your spam folder, as the majority of them are coming from non-email servers, but if you do see one in your spam folder, you ‘might’ be tempted to open it. They are using a unique call to action that might trick the average reader. (NOTE: Foul language ahead, but we wanted to show the exact message.)

<html>
Who the fuc(fill in blank) are you and why is there a charge from (insert your domain here) on my
card?<br>
Here you can view my statement , get back to me asap.<br>
<br>
<a href="http://www.unotrading.co.jp/api/get.php?id=c2FsZXNAd2l6YXJkLmNh">b
ofa_card_statement_(insert your email here).doc</a><br>
<br>
Thank you<br>
William Moore<br>
</html>

Now, you may be tempted to open it just based on that sense of urgency, but imagine if it also claimed to be from a law office. You might be even more concerned. In today’s case, it came from a law firm called “cadwalader” (Cadwalader, Wickersham & Taft LLP), a legitimate law firm if you checked, making it seem more real. Of course it didn’t come from them, and tomorrow they (spammers) will be using a different law firm. And of course, the name of the document has your name in it, and they seem to know your company.

Oh, BTW, if you are a Law Firm, PLEASE by all means, get your email administrators to set up an SPF record to help stop malicious people from forging emails from your domain.

host -t TXT cadwalader.com
cadwalader.com has no TXT record
host -t SPF cadwalader.com
cadwalader.com has no SPF record

They ‘could’ do even worse than simply send ransomware to unsuspecting citizens.
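As an added example (not part of the original post), the Python below classifies a domain's SPF posture from the TXT records a lookup like the one above returns; SPF policy is published as a TXT record that begins with `v=spf1`. The function name `spf_posture`, the verdict labels and the sample records are constructed for illustration.

```python
# Verdict for each qualifier on the terminating "all" mechanism (RFC 7208).
ALL_VERDICTS = {
    "-": "enforcing",   # unlisted senders fail, so forged mail can be rejected
    "~": "softfail",    # unlisted senders are only marked as suspicious
    "?": "neutral",     # the domain makes no statement about unlisted senders
    "+": "permissive",  # every sender passes, which protects nothing
}

def spf_posture(txt_records):
    """Classify SPF posture from a domain's TXT record strings.

    Assumption: each record is already one joined string, as a resolver
    library returns it or as `host -t TXT` prints it (quotes are stripped).
    """
    records = [r.strip().strip('"') for r in txt_records]
    spf = [r for r in records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "none"      # the case shown in the lookup output above
    if len(spf) > 1:
        return "invalid"   # more than one SPF record is a permanent error
    redirect = False
    for term in spf[0].lower().split()[1:]:
        qualifier, rest = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if rest == "all":
            # "all" always matches, so nothing after it is evaluated
            return ALL_VERDICTS[qualifier]
        if term.startswith("redirect="):
            redirect = True
    # No "all": policy lives in the redirect target, or defaults to neutral.
    return "delegated" if redirect else "neutral"

if __name__ == "__main__":
    # Constructed sample record sets; the domains are placeholders.
    samples = {
        "no TXT records": [],
        "verification token only": ["site-verification=abc123"],
        "hard fail": ["v=spf1 mx ip4:192.0.2.10 -all"],
        "soft fail": ['"v=spf1 include:_spf.example.net ~all"'],
        "allow anyone": ["v=spf1 +all"],
        "duplicate records": ["v=spf1 mx -all", "v=spf1 a -all"],
    }
    for label, records in samples.items():
        print(f"{label:25} {spf_posture(records)}")
```

Only the `enforcing` verdict gives receiving servers a clear basis to reject mail forged from the domain; `none` is what the lookup above shows.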

Now, this of course was sent from a compromised device that appears to be running some form of Windows operating system, but it could be anything (a smart TV in the boardroom, for instance). These usually come from home-style cable/DSL connections.

But when millions of these start going around the world, you KNOW some are getting clicked on. Simple spam protection should stop the botnets. And most of these are already on blacklists, but not everyone uses them to block, and someone could think this is a false positive. And coming from a real company domain, it might even be ‘whitelisted’ in some places.

Just because your email appears to come from a law firm, doesn’t mean that it does. If you didn’t expect an email from a person, DO NOT OPEN the attachment.